A blog about Cyber Security & Compliance

Month

July 2012

Google have had a long running battle with the UK Information Commissioner’s Office (ICO) on the subject of the retention of data collected when Google created its Street View maps and photos.

Clearly the ICO is upset and extremely annoyed at Google for not doing so in a timely fashion and this can only lead to further trouble for Google on a European wide basis.

An ICO spokesperson said:

“Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010. This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010.

“In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO’s instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action.

“We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development.

“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.”

Like this:

In their July Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

Phishing attacks continue to increase around the world. In the first half of 2012, the RSA Anti-Fraud Command Center identified 195,487 unique phishing attacks, an increase of 19% as compared to the second half of 2011.

So why are fraud losses decreasing? One reason is that the industry is simply getting better at fighting back. A major factor in determining fraud losses caused by phishing is measuring the lifespan of an attack. The longer an attack is live, the more victims there are that are potentially exposed and at risk of having their credentials stolen. By reducing the lifespan of a phishing attack through early detection and shutdown, organizations narrow the window of opportunity for cybercriminals to commit fraud.

In the first half of 2012, the top ten countries that experienced the highest volume of phishing attacks include:

United Kingdom

United States

Canada

Brazil

Netherlands

There have been major increases in phishing attack volume in some countries, while in other countries, it has declined slightly. One of the most significant increases was in Canada where phishing increased nearly 400% in the first half of 2012. There have been many observations as to why the sharp increase, but the main reason is simply economics, fraudsters follow the money. See my previous blog “Criminal logic; follow the money and find easy targets”. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become a lucrative target for cybercrime.

On the other hand, the U.S. experienced a 28% decline in phishing volume in the first half of the year. Other countries that have seen phishing volume decrease include Brazil, the Netherlands, Germany, Australia and South Africa.

Phishing Attacks per Month

In June 2012, phishing volume grew considerably. RSA identified 51,906 unique phishing attacks, a 37% increase. The recent spike in phishing volume can be partly attributed to the advanced technology and fraud services offered by cybercriminals in the underground including ready-made spam databases, custom coded malware designed to automate site hijacking and the hosting of malicious pages, as well as sophisticated spambot services.

Number of Brands Attacked

Despite the huge spike in phishing volume, the number of brands targeted by phishing attacks throughout the month of June decreased 13%.

US Bank Types Attacked

In the U.S. financial sector, nationwide bank brands saw a 16% increase in phishing volume in June while credit union brands saw a 10% decrease and regional bank brands saw a 6% decrease.

Top Countries by Attack Volume

The UK endured the largest volume of phishing attacks in June, despite seeing a drop of 21% in attack volume (from 63% to 42%). Canada was the country with the second largest volume of attacks, with a considerable increase from 3% to 29% in June. A surprising newcomer, Norway, experienced 2% of phishing volume.

Top Countries by Attacked Brands

The U.S., UK and Australia remain the three countries whose brands are most affected by phishing – targeted by 43% of phishing attacks in June. Brands in India, Brazil, Canada, Italy and China also remained heavily targeted by phishing in June.

Top Hosting Countries

The U.S. continues to be the country that hosts the most phishing attacks. In June, six out of every ten phishing attacks were hosted in the U.S. Russia and Poland – both newcomers to the Top Hosting Countries list – hosted 5% of attacks.

Like this:

BDO’s interim 2012 “FraudTrack” report has some fascinating results concerning fraud trends in the UK and for the public sector it isn’t easy reading.

It is worth noting before reading the extract from the BDO report that the data only relates to frauds of £50,000 or over. This leaves a considerable amount of discussion on the decline or growth in smaller areas of fraud for instance Credit Card fraud which is never likely to exceed £50,000 due to improved fraud prevention techniques.

“Fraud reporting habits are increasingly being influenced by fear of reputational damage” says Simon Bevan, Head of Fraud Services at BDO LLP, as the accountancy firm releases its 2012 Interim FraudTrack report.

The report states that the total value of reported fraud plummeted to £424m between December 2011 and May 2012.

The report indicated

a 54% drop on last year’s figure against the 2011 figure of £920m

a 55% decline in the average value of fraud, which fell from £4.5m to £2m

an increase in the number of cases reported, with 212 cases between December 2011 to May 2012, in comparison with 204 in the same 2011 period

The report has a breakdown by sector

Public administration has seen the highest value of fraud reported in this 6 month period, accounting for almost £253m – 60% of the all fraud reported. This has fallen 41% from the 2011 figure of £431m.

The Finance & Insurance Sector accounts for 17% of all fraud in the period (£71m). This has fallen 74% from 2011 when the recorded figure was £274m.

Fraud in the retail sector stands at £49m, just 12% of the total figure. However, this has risen dramatically from last year’s figure of £11m – a fourfold increase.

Simon Bevan commented: “The only sector where we’ve seen an increase in the value of fraud reported is in retail. This is a sector which is currently under a lot of pressure, so this isn’t particularly surprising. Fraudulent activity is often uncovered when businesses are paying closer attention to their finances, especially in situations such as property acquisition and store refurbishment.”

Breakdown by type of fraud

Tax fraud accounts for the greatest amount, at £249.5m – 59% of all fraud for this period.

After tax fraud, management fraud accounts for 9% (£39m).

Mortgage fraud is down dramatically from last year’s figures, currently sitting at around £9m (just 2% of total fraud) in comparison to last year’s £82m.

Employee fraud counts for £34m (around 8%) – again, down significantly on the same period last year (£192m).

Procurement fraud has dropped dramatically, from £25m last year to £3m in 2012.

Third party fraud has more than halved in the same period from £78m between December 2010 and May 2011, to £30m in the last 6 months.

Breakdown by location and for the first time in 6 years, London has not been the location with the highest amount of reported fraud.

The Midlands: £184m

London: £165m

North East: £38m

East Anglia: £16m

North West: £9m

West Country: £5m

National: £4m

Northern Ireland: £1m

Wales: £1m

Scotland: £700k

Simon Bevan commented: “This really is a dramatic fall. This year’s interim figures are not even a quarter of last year’s total, which was more than £2bn between December 2010 and November 2011. That said, it’s important to remember that these only represent fraud which is reported to the police. In fact, it is in the area of civil investigations and prosecutions in which BDO is most active. We certainly haven’t seen less fraud occurring.

So what does it tell us? Despite this drop in value, we’re actually seeing more cases going through the system, but of lower value. We suspect that organisations are only bringing in the authorities for small, relatively simple frauds. If that’s the case, I’m in no doubt that reputation management is a key factor in this decision. Organisations just don’t want to air their dirty linen in public. It would appear that the police are no longer the first port of call when it comes to dealing with the larger, complex frauds that can be so damaging to reputation.

We’ve certainly seen this in our own work. Whilst quantum has historically been the key driver for our appointment in fraud investigations, reputational issues have become much more important. Organisations are increasingly aware of the impact that reputational damage can have in terms of loss of earnings, loss of future customers, unsettled employees, increased regulatory oversight and damage to share price, amongst other things!

There are other reputational issues at stake that can have far reaching consequences. Take for example a case where a fraudster convinces the accounts payable team to change supplier contact details and bank account details. This is a simple fraud but something we are seeing increasingly, the result being that millions are then paid away to a bogus account. The reputational impact of a supplier not receiving their payment on time is significant. Such circumstances could force that supplier to reconsider their association with you and ultimately affect your ability to run your organisation. Most frauds like this one are not complex and could easily be prevented by simple due diligence, but one thing they do have in common is their impact on your reputation”.

Like this:

Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

Criminals do not discriminate, a dollar is a dollar, a credit card is a credit card, no matter where it is stolen from.

Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.

Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example PCI DSS. Compliance is described as a painful process but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information and not just credit cards.

Malware (Viruses, Trojan’s, etc.) does not know the difference between small and large business, in an automated attack malware tools just look for weaknesses.

The story so far looks like the criminals gained access to the store’s systems remotely and siphoned off the cards’ magnetic stripe data and then creating counterfeit cloned cards which resulted in thousands of dollars in fraud and affected a high percentage of the town’s population, and significantly almost 25% of the local Police force.

The sad thing is from my own experience of running a small business it is customer loyalty that often makes the difference between being profitable and going bust and incidents like this always affect a customer’s perception of the business.

Large business can employ a PR Agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, all of which a small business could not afford to do.

So what can small businesses do?

The first thing is to assume that you may become a target because the criminals use tools which try to find vulnerable business every minute and hour of the day.

Ensure you have the IT Security basics in place, Firewall, Anti-Virus, etc. and use the auto updates for the technology.

Make sure all your IT devices, not just your desktops and laptops but your tills and EPOS devices all have their software updated/patched regularly, if it is available turn on auto-updates.

Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.

I know it is difficult for small business owners to find the time but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ) but it is an excellent start to a secure business. If you have any questions about which SAQ is needed or any other questions ask your bank they are as concerned about your security as you are.